Merge branch 'main' into main

Author: NickLarsenNZ

.github/ISSUE_TEMPLATE/release-from-scratch-testing.md

@@ -85,3 +85,32 @@ stackablectl demo install <DEMO_NAME>
 # --- IMPORTANT ---
 # Run through the nightly demo instructions (refer to the list above).
 ```
+
+## List of Stacks
+
+Some stacks are not used by demos, but still need testing in some way.
+
+> [!TIP]
+> Some of the stacks have a [tutorial](https://docs.stackable.tech/home/nightly/tutorials/) to follow.
+
+<!--
+    The following list was generated by:
+
+    # Using the real `yq` that follows the same interface as `jq`
+    yq -y --slurp '.[0] * .[1] | .allStacks - .usedStacks' \
+        <(cat demos/demos-v2.yaml| yq '{usedStacks: [.demos[] | .stackableStack]}') \
+        <(cat stacks/stacks-v2.yaml | yq '{allStacks: [.stacks | keys] | flatten}') \
+    | sed -e 's/^- /- [ ] /g' \
+    | sort
+-->
+
+- [ ] monitoring
+- [ ] observability
+- [ ] openldap
+- [ ] tutorial-openldap
+
+You can install the stack via:
+
+```shell
+stackablectl stack install <STACK_NAME> --release dev
+```

.github/workflows/dev_nifi.yaml

@@ -25,5 +25,5 @@ jobs:
       image-name: nifi
       # TODO (@NickLarsenNZ): Use a versioned image with stackable0.0.0-dev or stackableXX.X.X so that
       # the demo is reproducable for the release and it will be automatically replaced for the release branch.
-      image-version: 2.4.0-postgresql
+      image-version: 2.6.0-postgresql
       containerfile-path: demos/signal-processing/Dockerfile-nifi

demos/airflow-scheduled-job/01-airflow-demo-clusterrole.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: airflow-demo-clusterrole
+rules:
+- apiGroups:
+    - spark.stackable.tech
+  resources:
+    - sparkapplications
+  verbs:
+    - create
+    - get
+    - list
+- apiGroups:
+    - apps
+  resources:
+    - statefulsets
+  verbs:
+    - get
+    - watch
+    - list
+- apiGroups:
+    - ""
+  resources:
+    - persistentvolumeclaims
+  verbs:
+    - list
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  verbs:
+    - get
+    - watch
+    - list
+- apiGroups:
+    - ""
+  resources:
+    - pods/exec
+  verbs:
+    - create

demos/airflow-scheduled-job/01-airflow-spark-clusterrole.yaml

@@ -2,11 +2,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: airflow-spark-clusterrole-binding
+  name: airflow-demo-clusterrole-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: airflow-spark-clusterrole
+  name: airflow-demo-clusterrole
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group

…02-airflow-spark-clusterrolebinding.yaml …/02-airflow-demo-clusterrolebinding.yamldemos/airflow-scheduled-job/02-airflow-spark-clusterrolebinding.yaml renamed to demos/airflow-scheduled-job/02-airflow-demo-clusterrolebinding.yaml demos/airflow-scheduled-job/02-airflow-spark-clusterrolebinding.yaml renamed to demos/airflow-scheduled-job/02-airflow-demo-clusterrolebinding.yaml

@@ -9,10 +9,12 @@ spec:
       containers:
         - name: start-pyspark-job
           image: oci.stackable.tech/sdp/tools:1.0.0-stackable0.0.0-dev
-          # N.B. it is possible for the scheduler to report that a DAG exists, only for the worker task to fail if a pod is unexpectedly
-          # restarted. Additionally, the db-init job takes a few minutes to complete before the cluster is deployed. The wait/watch steps
-          # below are not "water-tight" but add a layer of stability by at least ensuring that the db is initialized and ready and that
-          # all pods are reachable (albeit independent of each other).
+          # N.B. it is possible for the scheduler to report that a DAG exists,
+          # only for the worker task to fail if a pod is unexpectedly
+          # restarted. The wait/watch steps below are not "water-tight" but add
+          # a layer of stability by at least ensuring that the cluster is
+          # initialized and ready and that all pods are reachable (albeit
+          # independent of each other).
           command:
           - bash
           - -euo

demos/airflow-scheduled-job/03-enable-and-run-spark-dag.yaml

@@ -9,10 +9,12 @@ spec:
       containers:
         - name: start-date-job
           image: oci.stackable.tech/sdp/tools:1.0.0-stackable0.0.0-dev
-          # N.B. it is possible for the scheduler to report that a DAG exists, only for the worker task to fail if a pod is unexpectedly
-          # restarted. Additionally, the db-init job takes a few minutes to complete before the cluster is deployed. The wait/watch steps
-          # below are not "water-tight" but add a layer of stability by at least ensuring that the db is initialized and ready and that
-          # all pods are reachable (albeit independent of each other).
+          # N.B. it is possible for the scheduler to report that a DAG exists,
+          # only for the worker task to fail if a pod is unexpectedly
+          # restarted. The wait/watch steps below are not "water-tight" but add
+          # a layer of stability by at least ensuring that the cluster is
+          # initialized and ready and that all pods are reachable (albeit
+          # independent of each other).
           command:
           - bash
           - -euo

demos/airflow-scheduled-job/04-enable-and-run-date-dag.yaml

@@ -0,0 +1,68 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: start-kafka-job
+spec:
+  template:
+    spec:
+      containers:
+        - name: start-kafka-job
+          image: oci.stackable.tech/sdp/tools:1.0.0-stackable0.0.0-dev
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          # N.B. it is possible for the scheduler to report that a DAG exists,
+          # only for the worker task to fail if a pod is unexpectedly
+          # restarted. The wait/watch steps below are not "water-tight" but add
+          # a layer of stability by at least ensuring that the cluster is
+          # initialized and ready and that all pods are reachable (albeit
+          # independent of each other).
+          command:
+          - bash
+          - -euo
+          - pipefail
+          - -c
+          - |
+              # Kafka: wait for cluster
+              kubectl rollout status --watch statefulset/kafka-broker-default
+              kubectl rollout status --watch statefulset/kafka-controller-default
+
+              # Kafka: create consumer offsets topics (required for group coordinator)
+              kubectl exec kafka-broker-default-0 -c kafka -- \
+                /stackable/kafka/bin/kafka-topics.sh \
+                --bootstrap-server kafka-broker-default-0-listener-broker.$(NAMESPACE).svc.cluster.local:9093 \
+                --create \
+                --if-not-exists \
+                --topic __consumer_offsets \
+                --partitions 50 \
+                --replication-factor 1 \
+                --config cleanup.policy=compact \
+                --command-config /stackable/config/client.properties
+
+              # Airflow: wait for cluster
+              kubectl rollout status --watch statefulset/airflow-webserver-default
+              kubectl rollout status --watch statefulset/airflow-scheduler-default
+
+              # Airflow: activate DAG
+              AIRFLOW_ADMIN_PASSWORD=$(cat /airflow-credentials/adminUser.password)
+              ACCESS_TOKEN=$(curl -XPOST http://airflow-webserver-default-headless:8080/auth/token -H 'Content-Type: application/json' -d '{"username": "admin", "password": "'$AIRFLOW_ADMIN_PASSWORD'"}' | jq -r .access_token)
+              curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Content-Type: application/json' -XPATCH http://airflow-webserver-default-headless:8080/api/v2/dags/kafka_watcher -d '{"is_paused": false}' | jq
+
+              # Kafka: produce a message to create the topic
+              kubectl exec kafka-broker-default-0 -c kafka -- bash -c \
+                'echo "Hello World at: $(date)" | /stackable/kafka/bin/kafka-console-producer.sh \
+                --bootstrap-server kafka-broker-default-0-listener-broker.$(NAMESPACE).svc.cluster.local:9093 \
+                --producer.config /stackable/config/client.properties \
+                --topic test-topic'
+          volumeMounts:
+            - name: airflow-credentials
+              mountPath: /airflow-credentials
+      volumes:
+        - name: airflow-credentials
+          secret:
+            secretName: airflow-credentials
+      restartPolicy: OnFailure
+  backoffLimit: 20 # give some time for the Airflow cluster to be available

demos/airflow-scheduled-job/05-enable-and-run-kafka-dag.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: start-users-job
+spec:
+  template:
+    spec:
+      containers:
+        - name: start-users-job
+          image: oci.stackable.tech/sdp/tools:1.0.0-stackable0.0.0-dev
+          # N.B. it is possible for the scheduler to report that a DAG exists,
+          # only for the worker task to fail if a pod is unexpectedly
+          # restarted. The wait/watch steps below are not "water-tight" but add
+          # a layer of stability by at least ensuring that the cluster is
+          # initialized and ready and that all pods are reachable (albeit
+          # independent of each other).
+          command:
+          - bash
+          - -euo
+          - pipefail
+          - -c
+          - |
+              # Airflow: wait for cluster
+              kubectl rollout status --watch statefulset/airflow-webserver-default
+              kubectl rollout status --watch statefulset/airflow-scheduler-default
+
+              # Airflow: create users
+              kubectl exec airflow-webserver-default-0 -- airflow users create \
+                --username "jane.doe" \
+                --firstname "Jane" \
+                --lastname "Doe" \
+                --email "[email protected]" \
+                --password "jane.doe" \
+                --role "User"
+
+              kubectl exec airflow-webserver-default-0 -- airflow users create \
+                --username "richard.roe" \
+                --firstname "Richard" \
+                --lastname "Roe" \
+                --email "[email protected]" \
+                --password "richard.roe" \
+                --role "User"
+          volumeMounts:
+            - name: airflow-credentials
+              mountPath: /airflow-credentials
+      volumes:
+        - name: airflow-credentials
+          secret:
+            secretName: airflow-credentials
+      restartPolicy: OnFailure
+  backoffLimit: 20 # give some time for the Airflow cluster to be available

demos/airflow-scheduled-job/06-create-opa-users.yaml

@@ -5,12 +5,8 @@ metadata:
   name: airflow
 spec:
   image:
-    # Currently does not work with the kubernetes executor S3 logging
-    # (and its still marked experimental as of release 25.7). See:
-    # https://github.com/apache/airflow/issues/50583
-    # https://github.com/apache/airflow/issues/52501
-    # productVersion: 3.0.1
-    productVersion: 2.10.5
+    productVersion: 3.0.6
+    pullPolicy: IfNotPresent
   clusterConfig:
     loadExamples: false
     exposeConfig: false
@@ -46,7 +42,7 @@ spec:
         mountPath: /stackable/minio-tls
   webservers:
     roleConfig:
-      listenerClass: external-unstable
+      listenerClass: external-stable
     envOverrides: &envOverrides
       AIRFLOW_CONN_KUBERNETES_IN_CLUSTER: "kubernetes://?__extra__=%7B%22extra__kubernetes__in_cluster%22%3A+true%2C+%22extra__kubernetes__kube_config%22%3A+%22%22%2C+%22extra__kubernetes__kube_config_path%22%3A+%22%22%2C+%22extra__kubernetes__namespace%22%3A+%22%22%7D"
       # Via sealed secrets and pod overrides, just kept for reference here